Security in Django
Building secure software becomes more important in these days. Django provides some default security features. Let’s take a look at it.
Built in security for
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- SQL injection
- Support for HTTPS and TLS
- Secure Password Storage
| Attack Name | Description | Django helps by |
|---|---|---|
| Cross-Site Scripting (XSS) | XSS enables attackers to inject client-side scripts into web pages viewed by other users | Automatically escaping data dynamically inserted into templates |
| Cross-Site Request Forgery (CSRF) | An exploit of a website where unauthorized commands are transmitted from a user that the web application trusts | Providing a built-in csrf_token template tag and csrftoken cookie |
| SQL Injection | A code injection technique used to attack data-driven applications, in which SQL statements are inserted into an entry field for execution | Providing a power ORM. As long as .raw() and .extra() are avoided SQL Injection is nearly impossible |
| Support for HTTPS and TLS | An adaptation of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network, and is widely used on the internet | * Providing SECURE_SSL_REDIRECT to redirect requests over HTTP to HTTPS * Providing SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to secure cookies and POST requests |
| Secure Password Storage | * Never storing plain text passwords * Providing a flexible password storage system and uses PBKDF2 by default * Using the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST |
|
Leave a comment